Sending DNS queries to eight non-DNS IP addresses within the Chinese IP range reliably detects GFW DNS poisoning: any response indicates the censor intercepted and replied to the query, since a legitimate non-DNS server would not respond. This external vantage-point technique discovers poisoned domains without in-country volunteers or local infrastructure.

High-power seed domains including uyghuramerican.org, dw.com, hrw.org, and eastturkistaninfo.com each produced TF-IDF descriptive tags that led to discovery of more filtered URLs from other domains than the total number of URLs crawled from those seeds themselves. Content-category analysis of the 1,355 poisoned domains showed filtering-avoidance tools, news, educational content, and human-rights sites among the most heavily targeted categories.

§V-B, §V-D, Fig. 2, Fig. 7 evaluation

Approximately 95% of the 115,337 filtered URLs discovered in China were concentrated in just 15 large domains; the overall hit rate across the full crawl was 4.11 poisoned domains per 1,000 domains crawled. This concentration means aggregate filtered-URL counts in existing lists are dominated by a few major platforms while the broader tail of blocked domains remains largely undiscovered.

§V-A, §V-C, Fig. 4 evaluation

FilteredWeb discovered 1,355 DNS-poisoned domains and 115,337 filtered URLs in China through 54,000 web searches by February 2017 — 30 times more poisoned domains than the most widely-used published filter list (Citizen Lab, which identified 44 domains). Of the 1,355 domains, 759 fell outside the Alexa Top 1,000, demonstrating that automated search-based discovery surfaces obscure filtered content missed by manual and volunteer-driven lists.

§V-A, Table I, Table II evaluation

Of 6,915,266 domains extracted from the 572 GiB Geedge Networks Leak (GNL), 298,955 censored domains (93.7% of all GNL-censored domains) appear in neither Tranco top-1M nor CitizenLab test lists. Measurements across China (Guangzhou/Nanjing), Myanmar, Pakistan, and Algeria confirmed censorship via DNS injection and SNI-based TLS connection termination. The GNL covers 25–62% of Tranco-censored domains across countries, showing substantial but incomplete overlap. This vendor-side ground truth reveals a censorship surface roughly two orders of magnitude larger than curated academic test lists.

2026-sheffey-geedge §4.1, Table 2 dpisni-blockingdns-poisoningmeasurement-platform

Majority-vote ML inference (OCSVM + IF) over OONI data uncovered at least 5 previously undocumented DNS injection IPs active in Russia (e.g., 195.19.90.226, 95.167.13.51, 61.95.167.13.50, 188.19.132.154, 144.85.142.29.248) absent from OONI's existing blocking-fingerprints database, along with novel fingerprints in Italy, Czech Republic, and the UK. Records with fewer than 50 instances were excluded as a conservative false-positive filter.

2024-calle-toward §4.3, Table 5 dns-poisoningml-classifiermeasurement-platform

XGBoost trained on a single month of OONI data achieves near-optimal performance; expanding the training window to 24 months produces deviations of only 0–5 percentage points for FNR, 0.07 PP for FPR, and 0.10 PP for accuracy — suggesting that larger windows introduce noise and overfitting rather than improving detection. Isolation Forest performance degrades more sharply, with accuracy dropping ~5 PP as training data grows beyond 6 months.

2024-calle-toward §4.2, Figure 3 dns-poisoningml-classifiermeasurement-platform

For the Isolation Forest model, resolver ASN (SHAP importance 0.237) and probe ASN (0.220) are the two most predictive features for DNS tampering, reflecting that censorship is topologically concentrated at specific network vantage points. For XGBoost, headers_match dominates (0.317), followed by asn_control_match (0.177), indicating that supervised models rely more on cross-layer consistency signals. DNS tampering represents only 0.5–0.8% of all OONI measurements across 2022–2023 (Figure 2), creating severe class imbalance in any training set.

2024-calle-toward §4.1, Table 4, Figure 2 dns-poisoningml-classifiermeasurement-platform

XGBoost achieves a False Positive Rate of 0.0005, True Positive Rate of 0.9403, and overall accuracy of 0.9991 on OONI global DNS measurement data (2.5% stratified sample), vastly outperforming unsupervised alternatives: Isolation Forest achieves FPR 0.1321 / ACC 0.8699, and One-Class SVM degrades to FPR 0.9711 / ACC 0.0598, making OCSVM effectively unusable for this task.

2024-calle-toward §4.1, Table 3 dns-poisoningml-classifiermeasurement-platform

Brown et al. (2023) combined supervised ML models trained on expert-labeled data with unsupervised models establishing a baseline of 'normal' behavior to detect DNS-based censorship from Satellite and OONI datasets, achieving high true-positive rates for both known and new DNS censorship instances. The hybrid supervised/unsupervised approach is proposed as a template for the LLM-based system.

2024-gao-extended §2 Related Works dns-poisoningmeasurement-platformml-classifier